NetworkManager package update

Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org>
6 years ago · 96063fbf48
3 changed files with 576 additions and 1 deletions
--- a/SOURCES/0009-dhcp-internal-fixes-cve-2018-15688-rh1643984.patch
+++ b/SOURCES/0009-dhcp-internal-fixes-cve-2018-15688-rh1643984.patch
@ -0,0 +1,506 @@
				@@ -0,0 +1,506 @@
+From 0d4220fa98fbbd8aa0944a6ed87122b579716ff5 Mon Sep 17 00:00:00 2001
+From: Thomas Haller <thaller@redhat.com>
+Date: Mon, 10 Sep 2018 15:22:28 +0200
+Subject: [PATCH 1/9] systemd/dhcp: fix assertion starting DHCP client without
+ MAC address
+
+An assertion in dhcp_network_bind_raw_socket() is triggered when
+starting an sd_dhcp_client without setting setting a MAC address
+first.
+
+  - sd_dhcp_client_start()
+    - client_start()
+      - client_start_delayed()
+        - dhcp_network_bind_raw_socket()
+
+In that case, the arp-type and MAC address is still unset. Note that
+dhcp_network_bind_raw_socket() already checks for a valid arp-type
+and MAC address below, so we should just gracefully return -EINVAL.
+
+Maybe sd_dhcp_client_start() should fail earlier when starting without
+MAC address. But the failure here will be correctly propagated and
+the start aborted.
+
+See-also: https://github.com/systemd/systemd/pull/10054
+(cherry picked from commit 34af574d5810ab2b0d6d354cbc28135cde4a55b1)
+(cherry picked from commit 0a797bdc2a592385a21e7ed918c08ef54a346d99)
+(cherry picked from commit f37ed84ca495ee212b1e82b9c5a5682c4acfebcd)
+---
+ src/systemd/src/libsystemd-network/dhcp-network.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/src/systemd/src/libsystemd-network/dhcp-network.c b/src/systemd/src/libsystemd-network/dhcp-network.c
+index 90fe29d04..80e9577cd 100644
+--- a/src/systemd/src/libsystemd-network/dhcp-network.c
+++ b/src/systemd/src/libsystemd-network/dhcp-network.c
+@@ -128,8 +128,6 @@ int dhcp_network_bind_raw_socket(int ifindex, union sockaddr_union *link,
+         const uint8_t *bcast_addr = NULL;
+         uint8_t dhcp_hlen = 0;
+ 
+-        assert_return(mac_addr_len > 0, -EINVAL);
+-
+         if (arp_type == ARPHRD_ETHER) {
+                 assert_return(mac_addr_len == ETH_ALEN, -EINVAL);
+                 memcpy(&eth_mac, mac_addr, ETH_ALEN);
+-- 
+2.17.1
+
+
+From ee92f8164c0ecee86cec104240f0bbe155901891 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Sun, 30 Sep 2018 20:23:58 +0900
+Subject: [PATCH 2/9] dhcp6: check option length before reading values
+
+Fixes oss-fuzz#10746
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10746.
+
+https://github.com/systemd/systemd/pull/10213
+https://github.com/systemd/systemd/commit/84452783b8bcc44e0dbb7fa6ddc6dad8c064bdfe
+(cherry picked from commit 484e92e17f93aa9658944dc886d420ef32bc625e)
+(cherry picked from commit 0cec1cb93edd2efa6bee8e2ec1000d94a86ec61e)
+(cherry picked from commit 8b8b248679ee17b5c8e68fb8e8e6f6cd3ec32f03)
+---
+ src/systemd/src/libsystemd-network/dhcp6-internal.h  |  2 +-
+ src/systemd/src/libsystemd-network/dhcp6-option.c    | 11 ++++++-----
+ src/systemd/src/libsystemd-network/sd-dhcp6-client.c |  2 +-
+ 3 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/systemd/src/libsystemd-network/dhcp6-internal.h b/src/systemd/src/libsystemd-network/dhcp6-internal.h
+index f1cbd6a4f..06e2e5324 100644
+--- a/src/systemd/src/libsystemd-network/dhcp6-internal.h
+++ b/src/systemd/src/libsystemd-network/dhcp6-internal.h
+@@ -91,7 +91,7 @@ int dhcp6_option_append_pd(uint8_t *buf, size_t len, DHCP6IA *pd);
+ int dhcp6_option_append_fqdn(uint8_t **buf, size_t *buflen, const char *fqdn);
+ int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode,
+                        size_t *optlen, uint8_t **optvalue);
+-int dhcp6_option_parse_status(DHCP6Option *option);
+int dhcp6_option_parse_status(DHCP6Option *option, size_t len);
+ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia);
+ int dhcp6_option_parse_ip6addrs(uint8_t *optval, uint16_t optlen,
+                                 struct in6_addr **addrs, size_t count,
+diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c
+index a8a56463a..e462b7083 100644
+--- a/src/systemd/src/libsystemd-network/dhcp6-option.c
+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c
+@@ -249,10 +249,11 @@ int dhcp6_option_parse(uint8_t **buf, size_t *buflen, uint16_t *optcode,
+         return 0;
+ }
+ 
+-int dhcp6_option_parse_status(DHCP6Option *option) {
+int dhcp6_option_parse_status(DHCP6Option *option, size_t len) {
+         DHCP6StatusOption *statusopt = (DHCP6StatusOption *)option;
+ 
+-        if (be16toh(option->len) + sizeof(DHCP6Option) < sizeof(*statusopt))
+        if (len < sizeof(DHCP6StatusOption) ||
+            be16toh(option->len) + sizeof(DHCP6Option) < sizeof(DHCP6StatusOption))
+                 return -ENOBUFS;
+ 
+         return be16toh(statusopt->status);
+@@ -279,7 +280,7 @@ static int dhcp6_option_parse_address(DHCP6Option *option, DHCP6IA *ia,
+         }
+ 
+         if (be16toh(option->len) + sizeof(DHCP6Option) > sizeof(*addr_option)) {
+-                r = dhcp6_option_parse_status((DHCP6Option *)addr_option->options);
+                r = dhcp6_option_parse_status((DHCP6Option *)addr_option->options, be16toh(option->len) + sizeof(DHCP6Option) - sizeof(*addr_option));
+                 if (r != 0)
+                         return r < 0 ? r: 0;
+         }
+@@ -319,7 +320,7 @@ static int dhcp6_option_parse_pdprefix(DHCP6Option *option, DHCP6IA *ia,
+         }
+ 
+         if (be16toh(option->len) + sizeof(DHCP6Option) > sizeof(*pdprefix_option)) {
+-                r = dhcp6_option_parse_status((DHCP6Option *)pdprefix_option->options);
+                r = dhcp6_option_parse_status((DHCP6Option *)pdprefix_option->options, be16toh(option->len) + sizeof(DHCP6Option) - sizeof(*pdprefix_option));
+                 if (r != 0)
+                         return r < 0 ? r: 0;
+         }
+@@ -464,7 +465,7 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
+ 
+                 case SD_DHCP6_OPTION_STATUS_CODE:
+ 
+-                        status = dhcp6_option_parse_status(option);
+                        status = dhcp6_option_parse_status(option, optlen);
+                         if (status) {
+                                 log_dhcp6_client(client, "IA status %d",
+                                                  status);
+diff --git a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
+index ca03f580e..b82e3f45f 100644
+--- a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
+++ b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
+@@ -828,7 +828,7 @@ static int client_parse_message(
+                         break;
+ 
+                 case SD_DHCP6_OPTION_STATUS_CODE:
+-                        status = dhcp6_option_parse_status(option);
+                        status = dhcp6_option_parse_status(option, optlen);
+                         if (status) {
+                                 log_dhcp6_client(client, "%s Status %s",
+                                                  dhcp6_message_type_to_string(message->type),
+-- 
+2.17.1
+
+
+From a944785f244e92094eb4379cf12e76f5205037d3 Mon Sep 17 00:00:00 2001
+From: Evgeny Vereshchagin <evvers@ya.ru>
+Date: Sat, 29 Sep 2018 03:06:10 +0000
+Subject: [PATCH 3/9] dhcp6: fix an off-by-one error in
+ dhcp6_option_parse_domainname
+
+==14==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200055fa9c at pc 0x0000005458f1 bp 0x7ffc78940d90 sp 0x7ffc78940d88
+READ of size 1 at 0x60200055fa9c thread T0
+    #0 0x5458f0 in dhcp6_option_parse_domainname /work/build/../../src/systemd/src/libsystemd-network/dhcp6-option.c:555:29
+    #1 0x54706e in dhcp6_lease_set_domains /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-lease.c:242:13
+    #2 0x53fce0 in client_parse_message /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:984:29
+    #3 0x53f3bc in client_receive_advertise /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1083:13
+    #4 0x53d57f in client_receive_message /work/build/../../src/systemd/src/libsystemd-network/sd-dhcp6-client.c:1182:21
+    #5 0x7f0f7159deee in source_dispatch /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3042:21
+    #6 0x7f0f7159d431 in sd_event_dispatch /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3455:21
+    #7 0x7f0f7159ea8d in sd_event_run /work/build/../../src/systemd/src/libsystemd/sd-event/sd-event.c:3512:21
+    #8 0x531f2b in fuzz_client /work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:44:9
+    #9 0x531bc1 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-dhcp6-client.c:53:9
+    #10 0x57bec8 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:570:15
+    #11 0x579d67 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:479:3
+    #12 0x57dc92 in fuzzer::Fuzzer::MutateAndTestOne() /src/libfuzzer/FuzzerLoop.cpp:707:19
+    #13 0x580ca6 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:838:5
+    #14 0x55e968 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:764:6
+    #15 0x551a1c in main /src/libfuzzer/FuzzerMain.cpp:20:10
+    #16 0x7f0f701a082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
+    #17 0x41e928 in _start (/out/fuzz-dhcp6-client+0x41e928)
+
+https://github.com/systemd/systemd/pull/10200
+https://github.com/systemd/systemd/commit/b387d3c1327a3ad2a2509bd3d3491e674392ff21
+(cherry picked from commit 7cb7cffc4962245a32e87017bcf264005c043250)
+(cherry picked from commit cd3aacefdd0b91741b7b2e7b5ee5baab210addd9)
+(cherry picked from commit 5b140a77bc7b01dc002dbf28a7a2507a27a63d7c)
+---
+ src/systemd/src/libsystemd-network/dhcp6-option.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c
+index e462b7083..ff1cbf13d 100644
+--- a/src/systemd/src/libsystemd-network/dhcp6-option.c
+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c
+@@ -566,7 +566,7 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
+                                 /* Literal label */
+                                 label = (const char *)&optval[pos];
+                                 pos += c;
+-                                if (pos > optlen)
+                                if (pos >= optlen)
+                                         return -EMSGSIZE;
+ 
+                                 if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX)) {
+-- 
+2.17.1
+
+
+From fc04015063d44a61b85bdf2c2648d9ac9fb4a446 Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 27 Sep 2018 18:04:59 +0900
+Subject: [PATCH 4/9] sd-dhcp-lease: fix memleaks
+
+(cherry picked from commit e2975f854831d08a25b4f5eb329b6d04102e115f)
+(cherry picked from commit 157094abd83f933fad142758a7d177cfa1a347f7)
+(cherry picked from commit 3fd9d11619a5e60d375076fbe13851dd1d3a4a63)
+---
+ src/systemd/src/libsystemd-network/sd-dhcp-lease.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/systemd/src/libsystemd-network/sd-dhcp-lease.c b/src/systemd/src/libsystemd-network/sd-dhcp-lease.c
+index 33a0796a8..841d07926 100644
+--- a/src/systemd/src/libsystemd-network/sd-dhcp-lease.c
+++ b/src/systemd/src/libsystemd-network/sd-dhcp-lease.c
+@@ -279,6 +279,8 @@ sd_dhcp_lease *sd_dhcp_lease_unref(sd_dhcp_lease *lease) {
+                 free(option);
+         }
+ 
+        free(lease->root_path);
+        free(lease->timezone);
+         free(lease->hostname);
+         free(lease->domainname);
+         free(lease->dns);
+-- 
+2.17.1
+
+
+From ae56f71f5bd4233f335ec4c2a5172b59be3d80ca Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Thu, 27 Sep 2018 23:48:51 +0900
+Subject: [PATCH 5/9] dhcp6: fix buffer size checking
+
+(cherry picked from commit cb1bdeaf56852275e6b0dd1fba932bb174767f70)
+(cherry picked from commit 91fb1673d5217aaf1461998fd2675630f5c265f9)
+(cherry picked from commit 15a3c6c692ee0125d4673df42ef8986e9e3d69c7)
+---
+ src/systemd/src/libsystemd-network/sd-dhcp6-client.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
+index b82e3f45f..b65c31171 100644
+--- a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
+++ b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
+@@ -776,8 +776,8 @@ static int client_parse_message(
+                 uint8_t *optval;
+                 be32_t iaid_lease;
+ 
+-                if (len < offsetof(DHCP6Option, data) ||
+-                    len < offsetof(DHCP6Option, data) + be16toh(option->len))
+                if (len < pos + offsetof(DHCP6Option, data) ||
+                    len < pos + offsetof(DHCP6Option, data) + be16toh(option->len))
+                         return -ENOBUFS;
+ 
+                 optcode = be16toh(option->code);
+-- 
+2.17.1
+
+
+From 9babde953073b460d8bcda13329c60a0a74cdc3c Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Fri, 19 Oct 2018 03:44:56 +0900
+Subject: [PATCH 6/9] sd-dhcp6: fix argument and error handling of
+ dhcp6_option_parse_status()
+
+(cherry picked from commit 91c43f3978fa7c8341550b9ca279e460ba7e74e6)
+(cherry picked from commit 373cbfc8c6e9591b3c8cc12d58c4b31ac35ab24f)
+(cherry picked from commit 0e93fd895daa6f0f578ffa8fc4ed3e0ea85c62e8)
+(cherry picked from commit 6ea13fc82523bebaa08cf2ab8404e751a654261f)
+---
+ src/systemd/src/libsystemd-network/dhcp6-option.c    | 10 ++++++----
+ src/systemd/src/libsystemd-network/sd-dhcp6-client.c |  9 +++++----
+ 2 files changed, 11 insertions(+), 8 deletions(-)
+
+diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c
+index ff1cbf13d..cfddefcb5 100644
+--- a/src/systemd/src/libsystemd-network/dhcp6-option.c
+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c
+@@ -465,13 +465,15 @@ int dhcp6_option_parse_ia(DHCP6Option *iaoption, DHCP6IA *ia) {
+ 
+                 case SD_DHCP6_OPTION_STATUS_CODE:
+ 
+-                        status = dhcp6_option_parse_status(option, optlen);
+-                        if (status) {
+                        status = dhcp6_option_parse_status(option, optlen + sizeof(DHCP6Option));
+                        if (status < 0) {
+                                r = status;
+                                goto error;
+                        }
+                        if (status > 0) {
+                                 log_dhcp6_client(client, "IA status %d",
+                                                  status);
+ 
+-                                dhcp6_lease_free_ia(ia);
+-
+                                 r = -EINVAL;
+                                 goto error;
+                         }
+diff --git a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
+index b65c31171..15c4f445f 100644
+--- a/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
+++ b/src/systemd/src/libsystemd-network/sd-dhcp6-client.c
+@@ -828,13 +828,14 @@ static int client_parse_message(
+                         break;
+ 
+                 case SD_DHCP6_OPTION_STATUS_CODE:
+-                        status = dhcp6_option_parse_status(option, optlen);
+-                        if (status) {
+                        status = dhcp6_option_parse_status(option, optlen + sizeof(DHCP6Option));
+                        if (status < 0)
+                                return status;
+
+                        if (status > 0) {
+                                 log_dhcp6_client(client, "%s Status %s",
+                                                  dhcp6_message_type_to_string(message->type),
+                                                  dhcp6_message_status_to_string(status));
+-                                dhcp6_lease_free_ia(&lease->ia);
+-                                dhcp6_lease_free_ia(&lease->pd);
+ 
+                                 return -EINVAL;
+                         }
+-- 
+2.17.1
+
+
+From 19b82104da425efdb9ad0207ccabf5a1a091b81a Mon Sep 17 00:00:00 2001
+From: Yu Watanabe <watanabe.yu+github@gmail.com>
+Date: Fri, 19 Oct 2018 03:42:10 +0900
+Subject: [PATCH 7/9] sd-dhcp6: make dhcp6_option_parse_domainname() not store
+ empty domain
+
+This improves performance of fuzzer.
+C.f. oss-fuzz#11019.
+
+(cherry picked from commit 3c72b6ed4252e7ff5f7704bfe44557ec197b47fa)
+(cherry picked from commit 50403cccee28c7dcd54b138a0d3b3f69ea0204fe)
+(cherry picked from commit f11f5abb1a8b96b553d2d156f8b5cf440695c04d)
+(cherry picked from commit c836279fca80fb22ca7ef02acaa5b987fee61123)
+---
+ .../src/libsystemd-network/dhcp6-option.c     | 66 ++++++++-----------
+ 1 file changed, 29 insertions(+), 37 deletions(-)
+
+diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c
+index cfddefcb5..be5c22237 100644
+--- a/src/systemd/src/libsystemd-network/dhcp6-option.c
+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c
+@@ -555,6 +555,7 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
+                 bool first = true;
+ 
+                 for (;;) {
+                        const char *label;
+                         uint8_t c;
+ 
+                         c = optval[pos++];
+@@ -562,47 +563,41 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
+                         if (c == 0)
+                                 /* End of name */
+                                 break;
+-                        else if (c <= 63) {
+-                                const char *label;
+-
+-                                /* Literal label */
+-                                label = (const char *)&optval[pos];
+-                                pos += c;
+-                                if (pos >= optlen)
+-                                        return -EMSGSIZE;
+-
+-                                if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX)) {
+-                                        r = -ENOMEM;
+-                                        goto fail;
+-                                }
+-
+-                                if (first)
+-                                        first = false;
+-                                else
+-                                        ret[n++] = '.';
+-
+-                                r = dns_label_escape(label, c, ret + n, DNS_LABEL_ESCAPED_MAX);
+-                                if (r < 0)
+-                                        goto fail;
+-
+-                                n += r;
+-                                continue;
+-                        } else {
+-                                r = -EBADMSG;
+-                                goto fail;
+-                        }
+-                }
+                        if (c > 63)
+                                return -EBADMSG;
+
+                        /* Literal label */
+                        label = (const char *)&optval[pos];
+                        pos += c;
+                        if (pos >= optlen)
+                                return -EMSGSIZE;
+
+                        if (!GREEDY_REALLOC(ret, allocated, n + !first + DNS_LABEL_ESCAPED_MAX))
+                                return -ENOMEM;
+
+                        if (first)
+                                first = false;
+                        else
+                                ret[n++] = '.';
+
+                        r = dns_label_escape(label, c, ret + n, DNS_LABEL_ESCAPED_MAX);
+                        if (r < 0)
+                                return r;
+ 
+-                if (!GREEDY_REALLOC(ret, allocated, n + 1)) {
+-                        r = -ENOMEM;
+-                        goto fail;
+                        n += r;
+                 }
+ 
+                if (n == 0)
+                        continue;
+
+                if (!GREEDY_REALLOC(ret, allocated, n + 1))
+                        return -ENOMEM;
+
+                 ret[n] = 0;
+ 
+                 r = strv_extend(&names, ret);
+                 if (r < 0)
+-                        goto fail;
+                        return r;
+ 
+                 idx++;
+         }
+@@ -610,7 +605,4 @@ int dhcp6_option_parse_domainname(const uint8_t *optval, uint16_t optlen, char *
+         *str_arr = TAKE_PTR(names);
+ 
+         return idx;
+-
+-fail:
+-        return r;
+ }
+-- 
+2.17.1
+
+
+From 7dd0b1ae8cc44a6e3c91dc921a278f939d045f0d Mon Sep 17 00:00:00 2001
+From: Li Song <song.li@honeywell.com>
+Date: Fri, 19 Oct 2018 13:41:51 -0400
+Subject: [PATCH 8/9] sd-dhcp: remove unreachable route after rebinding return
+ NAK
+
+(cherry picked from commit cc3981b1272b9ce37e7d734a7b2f42e84acac535)
+(cherry picked from commit 915c2f675a23b2ae16d292d1ac570706f76b384d)
+(cherry picked from commit cb77290a696dce924e2a993690634986ac035490)
+(cherry picked from commit f211b140a5861ddedc2424946e3ab07d3b642b5f)
+---
+ src/systemd/src/libsystemd-network/sd-dhcp-client.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/systemd/src/libsystemd-network/sd-dhcp-client.c b/src/systemd/src/libsystemd-network/sd-dhcp-client.c
+index c2f81e1c4..c28025410 100644
+--- a/src/systemd/src/libsystemd-network/sd-dhcp-client.c
+++ b/src/systemd/src/libsystemd-network/sd-dhcp-client.c
+@@ -1649,6 +1649,8 @@ static int client_handle_message(sd_dhcp_client *client, DHCPMessage *message, i
+                         client->timeout_resend =
+                                 sd_event_source_unref(client->timeout_resend);
+ 
+                        client_notify(client, SD_DHCP_CLIENT_EVENT_EXPIRED);
+
+                         r = client_initialize(client);
+                         if (r < 0)
+                                 goto error;
+-- 
+2.17.1
+
+
+From 5a89e393279e8d0c8c2943b4cce99b91c5ebe903 Mon Sep 17 00:00:00 2001
+From: Lennart Poettering <lennart@poettering.net>
+Date: Fri, 19 Oct 2018 12:12:33 +0200
+Subject: [PATCH 9/9] dhcp6: make sure we have enough space for the DHCP6
+ option header
+
+Fixes a vulnerability originally discovered by Felix Wilhelm from
+Google.
+
+CVE-2018-15688
+LP: #1795921
+https://bugzilla.redhat.com/show_bug.cgi?id=1639067
+
+(cherry picked from commit 4dac5eaba4e419b29c97da38a8b1f82336c2c892)
+(cherry picked from commit 01ca2053bbea09f35b958c8cc7631e15469acb79)
+(cherry picked from commit fc230dca139142f409d7bac99dbfabe9b004e2fb)
+(cherry picked from commit cc1e5a7f5731f223d1eb8473fa0eecbedfc0ae5f)
+---
+ src/systemd/src/libsystemd-network/dhcp6-option.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/systemd/src/libsystemd-network/dhcp6-option.c b/src/systemd/src/libsystemd-network/dhcp6-option.c
+index be5c22237..22970443d 100644
+--- a/src/systemd/src/libsystemd-network/dhcp6-option.c
+++ b/src/systemd/src/libsystemd-network/dhcp6-option.c
+@@ -105,7 +105,7 @@ int dhcp6_option_append_ia(uint8_t **buf, size_t *buflen, DHCP6IA *ia) {
+                 return -EINVAL;
+         }
+ 
+-        if (*buflen < len)
+        if (*buflen < offsetof(DHCP6Option, data) + len)
+                 return -ENOBUFS;
+ 
+         ia_hdr = *buf;
+-- 
+2.17.1
+
--- a/SOURCES/1003-manager-accept-non-null-device-for-VPN-activations-rh1641174.patch
+++ b/SOURCES/1003-manager-accept-non-null-device-for-VPN-activations-rh1641174.patch
@ -0,0 +1,58 @@
				@@ -0,0 +1,58 @@
+From 7b6c55fb10c8f500a79075a66d6f5387199392be Mon Sep 17 00:00:00 2001
+From: Beniamino Galvani <bgalvani@redhat.com>
+Date: Fri, 6 Jul 2018 15:54:16 +0200
+Subject: [PATCH] manager: accept non-null device for VPN activations
+
+Commit 10753c36168a ("manager: merge VPN handling into
+_new_active_connection()") added a check to fail the activation of
+VPNs when a device is passed to ActivateConnection(), since the device
+argument is ignored for VPNs.
+
+This broke activating VPNs from nm-applet as nm-applet sets both the
+specific_object (parent-connection) and device arguments in the
+activation request.
+
+Note that we already check in _new_active_connection() that when a
+device is supplied, it matches the device of the parent
+connection. Therefore, the check can be dropped.
+
+Reported-by: Michael Biebl <biebl@debian.org>
+Fixes: 10753c36168a82cd658df8a7da800960fddd78ed
+
+https://github.com/NetworkManager/NetworkManager/pull/159
+(cherry picked from commit e205664ba8c25939f1678d1b078a67989c180046)
+(cherry picked from commit 9748aef7c7982ad1fe377ab6fc64255fcdb52762)
+---
+ src/nm-manager.c | 16 +---------------
+ 1 file changed, 1 insertion(+), 15 deletions(-)
+
+diff --git a/src/nm-manager.c b/src/nm-manager.c
+index 0fea13de6..289dcf838 100644
+--- a/src/nm-manager.c
+++ b/src/nm-manager.c
+@@ -4611,21 +4611,7 @@ validate_activation_request (NMManager *self,
+ 		}
+ 	}
+ 
+-	if (is_vpn && device) {
+-		/* VPN's are treated specially. Maybe the should accept a device as well,
+-		 * however, later on during activation, we don't handle the device.
+-		 *
+-		 * Maybe we should, and maybe it makes sense to specify a device
+-		 * when activating a VPN. But for now, just error out.  */
+-		g_set_error_literal (error,
+-		                     NM_MANAGER_ERROR,
+-		                     NM_MANAGER_ERROR_UNKNOWN_DEVICE,
+-		                     "Cannot specify device when activating VPN");
+-		return NULL;
+-	}
+-
+-	nm_assert (   ( is_vpn && !device)
+-	           || (!is_vpn && NM_IS_DEVICE (device)));
+	nm_assert (is_vpn || NM_IS_DEVICE (device));
+ 
+ 	*out_device = device;
+ 	*out_is_vpn = is_vpn;
+-- 
+2.17.1
+
--- a/SPECS/NetworkManager.spec
+++ b/SPECS/NetworkManager.spec
@ -10,7 +10,7 @@
				@@ -10,7 +10,7 @@
 %global epoch_version 1
 %global rpm_version 1.12.0
 %global real_version 1.12.0
-%global release_version 6
+%global release_version 8
 %global snapshot %{nil}
 %global git_sha %{nil}

@ -124,10 +124,12 @@ Patch5: 0005-ibft-cap-sys-admin-rh1371201.patch
				@@ -124,10 +124,12 @@ Patch5: 0005-ibft-cap-sys-admin-rh1371201.patch
 Patch6: 0006-support-aes256-private-keys-rh1623798.patch
 Patch7: 0007-core-fix-wireless-bitrate-property-name-on-D-Bus-rh1626391.patch
 Patch8: 0008-dns-dnsmsaq-avoid-crash-no-rev-domains-rh1628576.patch
+Patch9: 0009-dhcp-internal-fixes-cve-2018-15688-rh1643984.patch

 Patch1000: 1000-cli-remove-assertion-in-nmc_device_state_to_color.patch
 Patch1001: 1001-translations-rh1569438.patch
 Patch1002: 1002-cli-fix-reading-vpn.secrets.-from-passwd-file.patch
+Patch1003: 1003-manager-accept-non-null-device-for-VPN-activations-rh1641174.patch

 # The pregenerated docs contain default values and paths that depend
 # on the configure options when creating the source tarball.
@ -320,7 +322,9 @@ devices.
				@@ -320,7 +322,9 @@ devices.
 Summary: Open vSwitch device plugin for NetworkManager
 Group: System Environment/Base
 Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+%if 0%{?rhel} == 0
 Requires: openvswitch
+%endif

 %description ovs
 This package contains NetworkManager support for Open vSwitch bridges.
@ -886,6 +890,13 @@ fi
				@@ -886,6 +890,13 @@ fi


 %changelog
+* Fri Nov  2 2018 Thomas Haller <thaller@redhat.com> - 1:1.12.0-8
+- dhcp: fix out-of-bounds heap write for DHCPv6 with internal plugin (CVE-2018-15688)
+
+* Mon Oct 22 2018 Beniamino Galvani <bgalvani@redhat.com> - 1:1.12.0-7
+- manager: accept non-null device for VPN activations (rh #1641174)
+- drop dependency of NetworkManager-ovs on openvswitch (rh #1633190)
+
 * Sat Sep 15 2018 Beniamino Galvani <bgalvani@redhat.com> - 1:1.12.0-6
 - dns: dnsmasq: avoid crash when no reverse domains exist (rh #1628576)
 - initscripts: fix ownership of ifup/ifdown executables (rh #1626517)